The structure of MECO includes five business lines with about five administrative areas in each. Each administrative area then has divisions, and within these are departments.
For example, there may be an Operational Services business line that has Industrial Services as an administrative area. Within Industrial Services there may be a Marine division and an Aviation division, which both have fleets of either ships or airplanes being managed by various departments within their respective divisions. This provides an indication of the potential size in these divisions. For example, the Marine division and Aviation division are the size of some small to medium-sized companies that are in existence today.
MECO RISK MANAGEMENT BACKGROUND
Early in 2006, after concluding a study on enterprise risk management (ERM), the Management Committee requested that the ERM team pursue formal project risk management (PRM) as a pilot under the ERM effort within the project management department. Scoping of the pilot began in late 2006 with pilot completion in March 2008. Since 2006, the ERM team has also been following up with other parts of the organization, such as information technology (IT) on its development and implementation of risk management within its organization.
Both project management and IT put together policy and procedure documentation, which was signed off by their division heads, as well as setting up project teams within their departments. These teams included a full-time member and a few part-time members. Within both departments, a Risk Committee was set up that consisted of members from the division as well as department heads whose responsibility would be to escalate those risks that were deemed to be outside their control and to ensure that existing risks were being managed.
In both instances, the project teams eventually transitioned into risk management functions within each department and have now started looking at other aspects of risk such as business continuity and quantitative risk analysis.
The successful implementation of risk management within the project management and IT departments, which was reported in 2009, went a long way to convince the Management Committee to implement a companywide approach to ERM. This companywide approach would mirror the approaches taken in the two departments. In 2009, the CEO, after announcing himself as chief risk officer, instructed Internal Audit to champion ERM with the specific remit of identifying the company's top risks from a bottom-up approach but without the use of consultants. Once work had been completed, it was expected that the risk management project team would come back to the Management Committee to report what the top 10 risks were.
In early 2010, Internal Audit put together an ERM project team made up of one full-time member and four part-time members (all with the title "auditor"). By the end of 2011, they had recruited a second full-time member, also under the title "auditor," while the part-time members ceased to work with the team.
The team was tasked with identifying the top risks facing the company from a bottom-up approach. The project leader did acknowledge that there should be some sort of framework in place and, despite not being part of the remit, he asked the team to consider a Risk Framework that could be suggested briefly to the Management Committee at the same time as the presentation of the top 10 risks. Assuming Management Committee agreement, this Risk Framework could then be implemented at a later date as part of a second phase.
It is important to note that in the Middle East it is commonplace to see risk management sitting within Internal Audit. This is mainly due to Internal Audit being among the first to be exposed to the concept of risk management as well as the fact that the major auditing firms see risk as a way to secure more business with their clients and will sell risk management as an auditing function. Approaches that would be frowned upon by these firms in Europe, Asia, or North America are widely accepted in the Middle East. This is also a major topic of argument between risk managers and auditing firms at ERM conferences across the region.